VNR: January 2012

Threat and Spamscape Report

2012

What We Saw in January

January was business as usual in the world of spam, and the Zeus family of Trojans made sure that malicious traffic would remain on course. In other news, netizens of the world came together in one day of solidarity to oppose the impending SOPA and PIPA acts. It seems like everyone except Hollywood, their lobbyists, and the uninformed creators of the bills realizes that this move has far more implications than trying to thwart online piracy. Other highlights from the month of January include:

Zeus falls under the guise of Wells Fargo Bank. This is nothing unusual, though what is interesting here is that this batch came with a hidden message. We can't be sure what the reason behind the message is, but we do know these people want your money.

Researchers have uncovered the identity of a group suspected of creating and seeding an online family of malware known as Koobface. Koobface, as its mildly scrambled up name implies, has made its home on the social network Facebook. Now if they can get the authorities to cooperate, we'll be all set.

The hacktivist group Anonymous remained active last month by tricking people into playing a part in a DDoS attack against the US government and some entertainment-related industries through links in Twitter messages.

On Wednesday the 18th of January, thousands of websites joined together to protest the looming SOPA and PIPA acts. To show their disapproval, all participating sites went "black", or shut down for the day. These sites included big names such as Wikipedia and Google.

At the end of each calendar year, the AppRiver Security Analyst Team makes a list of predictions about cyber security targets for the upcoming year. Well, it hasn't even been a full month yet and we've already seen some of our forecasts realized.

As this year's tax time approaches, Black Hats dress up their malware campaigns to appear to have come from reputable sources in order to trick victims into installing their bank account draining Trojans.

Total Email Traffic Volume

This chart represents both total and spam traffic throughout the month of January. Spam traffic, which peaked in November 2011, is down for the second straight month. In all, AppRiver quarantined just over 2.2 billion spam messages in January 2012.

Tests Failed

This chart represents the number of times messages failed various tests over the past month. Keep in mind that many messages failed multiple tests; hence the total from these charts will surpass the total individual pieces of spam seen during the month of January.

Regions of Origin

This graph represents both spam and malicious email traffic by region.

Top Ten Countries of Origin

This chart represents the top countries from which spam originated in January 2012. India has solidified its place as the world's leading superpower when it comes to spam output.

Top Email-Delivered Viral Threats

These are the top 20 malware threats we saw last month in order of frequency, with the most frequent appearing in the top position. The virus names that begin with "X." signify rules that were written by AppRiver Analysts. (This does not mean that other anti-virus vendors didn't eventually have definitions in place for these viruses; it simply means that AppRiver often had protection in place before many of them.)

X.UPX.App.pakuber

X.UPX.App.pakuberc

X.W32.PX.pakb

W32\Mydoom.Q_worm

W32\TrojanDownloader.Zurg

HTML\Phishing.Gen_trojan

W32\Mydoom.R_worm

X.Mal.BredoZp-B.ps

W32\Merond.O_worm

X.W32.Netsky.Q

X.W32\Yakes.ticktr.pz

X.win32.worm.20080529

PDF\WorldBusinessGuide_ap

W32\Spy.Zbot.YW_trojan

X.AmerAir.Troj.ndg1219a

W32\Netsky.C_worm

W32\Sality.NAJ_virus

X.AAticket.zip119JR

W32\Mydoom.NAC_worm

W32\Netsky.Q_worm

30 Day Virus Activity

This chart represents email-borne virus and malware activity during the month of January as tracked by AppRiver filters. Virus message traffic decreased in January, corresponding with the overall decline of spam messages. In fact, January and February are traditionally two of the weakest months for spam and virus-borne email output, and it seems as though this year is no different. We expect to see this dip continue well into next month before traffic resumes its upward trend.

Image Spam

The chart below represents total Image spam seen by AppRiver filters in January.

Tax Season Brings the Usual Malware

As tax season approaches, so do malware campaigns attempting to capitalize on everyone's favorite time of year. In the US, people begin to file their taxes as early as January and some as late as mid-April. Regardless of when filing occurs, there will always be a piece of malware or spam customized to match. This month, for example, we saw a well-made campaign utilizing the name Fidelity Investments. Scammers made sure to make their email appear legit by using Fidelity's official email newsletters while stripping out the graphics and links located within. Then they simply added their custom message and malicious payload, and they were ready to roll. Their final product resembled something that one may expect to receive from any investment firm. The campaign informs recipients that their statement is ready to review. The attachment included with the email is supposed to be the "statement", but it is actually another variant of Zeus. If the victim were unlucky enough to have unzipped and double-clicked the attachment, beneath the surface the malware would have made a connection to a domain by the name of tunepage[dot]ru, where it would have downloaded a new binary, wuozdea.exe. This component is then executed and begins to launch new processes to add exceptions for itself in the victim's firewall. This new unrestricted hole in the firewall is then used to communicate captured information from the victim back to its command servers. Lucky for you though, AppRiver was pre-emptively catching all observed versions before they made it to mailboxes.
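A host-side check for the behaviour described above, where the downloaded binary launches new processes to add a firewall exception for itself. This is an added example, not AppRiver's detection logic; the report does not say how the exceptions were added, so the use of `netsh`, the event format, the paths and the PIDs are all assumptions.

```python
import ntpath
import re

# Constructed process-creation events (shape loosely follows Sysmon Event ID 1).
# Only the name wuozdea.exe is from the report; paths, PIDs, netsh use are assumed.
EVENTS = [
    {"pid": 3100, "ppid": 2044,
     "image": r"C:\Users\pat\AppData\Roaming\Ixab\wuozdea.exe",
     "cmdline": r"C:\Users\pat\AppData\Roaming\Ixab\wuozdea.exe"},
    {"pid": 3188, "ppid": 3100, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh firewall add allowedprogram '
                r'"C:\Users\pat\AppData\Roaming\Ixab\wuozdea.exe" "svc" ENABLE'},
    # Benign contrast: an installer under Program Files allowing another binary.
    {"pid": 4000, "ppid": 900,
     "image": r"C:\Program Files\BackupTool\setup.exe",
     "cmdline": r"setup.exe /quiet"},
    {"pid": 4012, "ppid": 4000, "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r'netsh advfirewall firewall add rule name="Backup" dir=in '
                r'action=allow program="C:\Program Files\BackupTool\agent.exe"'},
]

# Legacy "netsh firewall" syntax and the newer "netsh advfirewall" syntax.
ALLOW_RE = re.compile(
    r'add\s+allowedprogram\s+(?:program\s*=\s*)?"?(?P<legacy>[^"]+?\.exe)'
    r'|add\s+rule\b(?=.*\baction\s*=\s*allow\b)'
    r'.*?\bprogram\s*=\s*"?(?P<adv>[^"]+?\.exe)',
    re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(users|documents and settings|temp)\\", re.I)

def find_self_exceptions(events):
    """Flag netsh calls where a user-writable binary allow-lists itself."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse in the window
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "netsh.exe":
            continue
        match = ALLOW_RE.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not match or parent is None:
            continue
        target = (match.group("legacy") or match.group("adv")).lower()
        if target == parent["image"].lower() and USER_WRITABLE.search(target):
            findings.append({"parent": parent["image"], "netsh_pid": e["pid"]})
    return findings

if __name__ == "__main__":
    for hit in find_self_exceptions(EVENTS):
        print("self-added firewall exception:", hit)
```

The rule keys on the parent/child relationship rather than on a file name, so it still fires when the dropped binary is renamed between campaigns.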

Zeus: Environmental Activist

Speaking of Zeus, and in addition to the Fidelity Investments scams, we also saw a campaign masquerading as Wells Fargo. This one was a little different, but the difference wouldn't have been noticed without a deeper look into its devious inner workings. Just when we began to think that our old friend Zeus, the banking-credential-stealing scourge, was just a shallow one-sided thief, something like this happens. During the first week of January we saw several varieties of the Zeus banking Trojan hit our filters, but this one in particular came with a bonus environmental message hidden within.

On the outside this Trojan was dressed up as a "Credit Notification" from Wells Fargo informing recipients that their accounts had been credited $11,000.00! Wow, that's a lot, and for those who may believe that this must be some sort of mistake, the authors of the email attached handy details of the transaction in a file suitably named "transaction&details.zip".

Once executed, the attachment went to work embedding itself on the victim's machine. Multiple instances of a file by the name of unve.exe were created; these opened up network connections and, along with a batch file by the name of tmp6f953619.bat, were in charge of monitoring and stealing banking credentials.

There was one curious behavior that happened behind the scenes, however. The malware also opened a network connection, silently downloaded a JPG file from a Dropbox account, and left it on the newly infected PC. The image was entitled "climate_killing_banks.jpg" and depicted a bar chart of the top 20 banks that have financed coal electricity and coal mining since 2005. Obviously this was a chart created to point out those banks that contribute to negative environmental impact, or perhaps a chart created by the coal industry to point out its best supporters; it could go either way. This image was never opened or displayed during infection; it was simply left behind for someone to find later. This is certainly an interesting message from these thieves, one that says "We may be robbing you blind, but we have real concerns too. Let's make this a better world to live in" (or something like that).

2012: Attacks Underway

2011 was a year riddled with data breaches and malware outbreaks. Less than three weeks into 2012 and we're already seeing a few of our security predictions for 2012 realized.

More High Profile Data Breaches - Data breaches were rampant in 2011, with businesses such as Sony, HB Gary Federal, RSA, WordPress, Epsilon and many others being infiltrated and pillaged. It seemed like there was a different breach for every day of the week. Well, it did not take long in 2012 for the trend to continue. A few days ago Zappos (online shoe and clothing retailer) reported being hacked and exposing data for a whopping 24 million customers. Client information exposed in the breach included names, address, email, phone numbers, last four digits of the credit card on file, and passwords (although scrambled). Even though no full credit card information was reported to have been exposed, there is still some danger. If the passwords are recovered by the hackers, they could be used to access the emails of the many individuals who are in the habit of using the same password across all of their personal accounts. Believe it or not, this happens a lot more often than one might think. Additionally, the collected personal data could be used in more directed or personalized attacks, as well as kept to be later correlated with other stolen data. The fallout for the companies that suffer these types of breaches can be detrimental. In the case of Zappos there will almost certainly be cancelled accounts, lost sales and a hit to their reputation. There is even news that a class action lawsuit has been filed on behalf of the customers involved. There is a high degree of certainty that these breaches will continue throughout 2012.

Malware Using Social Media - Social networking sites such as Facebook, Twitter and the like have all become a very popular vector for malware distribution. Whether it is being distributed on the social sites themselves or through spam emails posing as correspondence from the site, this method has only been growing in popularity and will proliferate in 2012. We are currently monitoring many malicious campaigns that are attempting to pose as legitimate social networking communications. One campaign came in droves on the 18th and posed as a friend invite from Facebook. The message included a link to a website hosting a malicious JavaScript. In just a few seconds the victim's machine could have communicated with a host and installed a Trojan.
Here is a look at the message:

These attacks are nothing new but sometimes less really is more and let's face it, who isn't at least a little curious about that friend request they just got? So what if you don't recognize the name. It is just one little click. Given their effectiveness, these attacks will be numerous in 2012.

The Internet Goes Black

On Wednesday, January 18th, a large group of websites joined together in protest to prove a point: to show what the Internet would look like if the proposed Stop Online Piracy Act (SOPA) and Protect Intellectual Property Act (PIPA) passed. In fact, website owners shut down their sites for the entire day. The result essentially blacked out a large portion of the Internet, with many well-known sites going dark, including Google, Wikipedia and Reddit.

SOPA and PIPA are based on a good idea. Their intent is to stop online piracy of things such as software and movies by making the environment a little tougher through legislation. The problem is that the bills were so broadly worded that they did not translate very well with regard to how the Internet actually functions. The Electronic Frontier Foundation argues SOPA gives individuals and corporations unprecedented power to silence speech online. SOPA gives the government even more power to censor. SOPA uses vague language that is sure to be abused. And SOPA would not stop online piracy. People arguing in favor of SOPA and PIPA believe that these claims are blown out of proportion, and that past legal actions against sites involved with copyright infringement triggered similar doomsday reactions. According to Cary Sherman, CEO of the Recording Industry Association of America, digital music innovation has continued to flourish since then.

Anonymous Remains Busy

Owners of the site Megaupload were arrested in January, and then their site was shut down. Megaupload was a file sharing site where a good deal of illegal file sharing took place, hence the arrest. It also happened to be a favorite of the hacktivist group Anonymous. In retaliation for the shutdown, Anonymous began a large scale Distributed Denial of Service attack against US government and entertainment industry websites. In the past, when Anonymous had done something like this, they would recruit followers to help in forums such as 4chan and supply them with a tool known as LOIC. LOIC, as it turns out, is a rather dangerous tool for script kiddies to use because if it's not configured and used properly, it can lead authorities directly to their doorsteps, as the attacking IP is transparent at the target site. This time, however, Anonymous decided to take a different approach: sending out Tweets with a link. The link was then shared over and over again on Twitter. Once these links were clicked, they would take users to a site where JavaScript would run in the background, immediately flooding Anonymous' targets. This way everyone that went to the site would be a part of the attack.

The Gig is Up for the Koobface Gang

Thanks to the tireless efforts of the Facebook Security Team, five men have been outed as the people behind the Koobface family of malware that had plagued Facebook for several years now. These five men were traced to St. Petersburg, Russia, where they were living high on the hog. Their eventual undoing was through a sloppy mistake made on one of their command and control servers. First, the person responsible for the C&C's upkeep accidentally left a service available which allowed any visitor to view inbound traffic data, and after that, analytics software installed on the machine led researchers to the Koobface main server in charge of pushing out all major updates. Once this IP was identified, the ball started rolling. Domains that were hosted on the same server were then linked to two of the five men involved with the malware distribution ring. Ironically, the gang's favorite infection vectors, social networks, were then used to put all of the pieces together, utilizing information that the participants left out in the open on these sites and others. Now a wealth of information has been collected on these men, and Russian authorities have been informed. Even though none of the men has yet been arrested, their C&C server has been brought down, and Koobface is no more. Now we just wait until the foreign authorities do the right thing.